How to configure and protect network security on Linux systems

With the widespread application of Linux systems, network security has become a vital task. While facing various security threats, system administrators need to implement network security configuration and protective measures for servers. This article will introduce how to configure and protect network security on Linux systems, and provide some specific code examples.

1. Configuring the firewall
   Linux system uses iptables as the firewall by default, which can be configured through the following command:

# 关闭现有防火墙
service iptables stop

# 清空iptables规则
iptables -F

# 允许本地回环接口
iptables -A INPUT -i lo -j ACCEPT

# 允许ping
iptables -A INPUT -p icmp -j ACCEPT

# 允许已建立的连接
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 允许SSH访问
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# 其他访问一律禁止
iptables -P INPUT DROP
iptables -P FORWARD DROP

2. Close unnecessary services
   In Linux systems, there are often some unnecessary services running in the background. These services occupy server resources and also bring potential security risks to the system. You can use the following command to shut down unnecessary services:

# 关闭NFS服务
service nfs stop
chkconfig nfs off

# 关闭X Window图形界面
yum groupremove "X Window System"

# 关闭FTP服务
service vsftpd stop
chkconfig vsftpd off

3. Install and use Fail2ban
   Fail2ban is an open source security tool that can monitor network conditions and detect suspicious logins Try and automatically blacklist restrictions through the firewall to effectively protect network security. Fail2ban can be installed through the following command:

yum install fail2ban -y

Configuration file:/etc/fail2ban/jail.conf

Add custom rules:

# 在jail.conf文件中添加一行：
[my_sshd]
enabled = true
port = ssh
filter = my_sshd
logpath = /var/log/secure
maxretry = 3

Create filter rules :

# 在/etc/fail2ban/filter.d/目录下，创建my_sshd.conf文件，然后编辑：
[Definition]
failregex = .*Failed (password|publickey).* from <HOST>
ignoreregex =

4. Configuring SSH
   SSH is a very powerful and widely used remote login protocol, and it is also the target of many hacker attacks. Therefore, you need to take some security measures when using SSH:

# 修改SSH默认端口
vim /etc/ssh/sshd_config
# 将Port 22修改为其他端口，例如：
Port 22222

# 禁止root登录
vim /etc/ssh/sshd_config
# 将PermitRootLogin yes修改为PermitRootLogin no

# 限制用户登录
vim /etc/ssh/sshd_config
# 添加以下内容：
AllowUsers user1 user2

5. Disable IPv6
   In most server network environments, IPv6 is not required. Disabling IPv6 can effectively reduce the system's Risk of attack:

# 添加以下内容到/etc/sysctl.conf文件中：
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 使用以下命令生效：
sysctl -p

Summary
This article introduces how to configure and protect network security on Linux systems, including configuring firewalls, shutting down unnecessary services, installing and using Fail2ban, and configuring Aspects such as SSH and disabling IPv6. The sample code provided in this article can help administrators complete network security work more conveniently and quickly. In practical applications, corresponding adjustments and improvements should be made according to specific circumstances.

The above is the detailed content of How to configure and protect network security on Linux systems. For more information, please follow other related articles on the PHP Chinese website!